For those of you that think professional hackers don’t care about your small business, let me introduce you to Zeus, the number one threat of 2009. According to SC Magazine:
“Zeus: Also known as Ztob, this bank credential-stealing trojan is masterfully built. It is designed to evade anti-virus detection and then sit quietly in the background until victims login to their accounts. Infections have hit small businesses particularly hard this year, sometimes resulting in individual losses of hundreds of thousands of dollars.”
“72% of small businesses have no formal internet security policies”
Over the past fifteen years, I have tried repeatedly to educate small business owners about the importance of protecting their information and technical infrastructure. The number one answer I receive is “Why would a hacker want to come after my small business?” The answer is very simple “because they can”. Most SMB’s (Small Medium Business) don’t think twice about physical security and gladly sign the check every month, however, they have little regard for information security.
Over the past five years, due to compliance and extremely large financial losses, most large companies have realized the value of investing in protecting their information and their assets. Most large companies have enough of a cash reserve and or insurance to survive an electronic financial theft. Most of them will even pay the thief to not make the crime public due to the negative publicity.
Now that the bigger businesses are pretty secure and they have very smart people chasing the bad guys, the attention has gone to the small businesses and the home users.
Here is how Zeus works.
First the hackers go after the person at a SMB that is in charge of online banking (sometimes a contracted accountant/CPA). Then the hackers target this person or their PC with emails and other methods to get them to click on a bad link. Some of the links are an exact replica of the bank’s online banking web page. Once the malware has been installed on the computer and the bank account information has been harvested, these bots (automatic applications) that will drain your account in less than 5 minutes. Once the cyberthieves login to your bank account, the worm will create automated clearinghouse transfers to so called money mules, individuals recruited via “work from home” scams.
That’s right, all gone, just like that, and nobody can really help you. The money is gone outside the country, which is out of the FBI’s jurisdiction. Typically, the money is laundered through several accounts before ending up somewhere in Eastern Europe, which makes it difficult for even Interpol to track down.
Another quote from SC Magazine: “This is the most advanced banking trojan we have ever seen. You give up that token (two layer authentication) and within 60 seconds your account is empty.”
After hearing this, most SMB owners (who always have an answer for everything) come back and say “what about my Insurance”. Bad news, if you fail to protect your network and computers, and not educate your users, it is YOUR fault. It is similar to not having a monitored alarm system for your store, who would insure you?
What about my anti-virus or anti-malware software you might ask? Traditional signature-based AV solutions have trouble detecting Zeus because of its encrypted packing algorithm. Hmmm, still think the cyberthieves are only after the big businesses? This type of malware is created by some of the best hackers in the world. If your business is vulnerable, its a matter of time before they get to you.
Can your small business afford to operate without the daily operating funds it needs to continue doing business? Probably not.
Will your vendors and landlord wait to get paid because they feel bad for you? Unlikely.
In conclusion, if you are a small business owner, information security should be at the top of your priority list for 2010, especially if you want to grow your business to the next level. If you are wondering what to do, hire a security consultant who will help you secure your network and educate your end users / contractors. Remember, if you use a PC tech/geek service, you are going to get your money’s worth. Do you use just anyone for your finances and bookkeeping or a trusted certified professional like a CPA?
For more information about Zeus, just search Google for “Zeus Malware”.
References: SC Magazine, December 2009 edition.